AUDIT OF DOT’S INFORMATION SECURITY PROGRAM AND PRACTICES
Department of Transportation

Report Number: FI-2010-023
Date Issued: November 18, 2009

Memorandum
U.S. Department of Transportation
Office of the Secretary of Transportation
Office of Inspector General

Subject: ACTION: Audit of Information Security Program, Department of Transportation
         Report Number: FI-2010-023
Date: November 18, 2009

From: Calvin L. Scovel III, Inspector General
Reply to Attn. of: JA-20

To: Chief Information Officer

The Department of Transportation’s (DOT) annual $3 billion information technology (IT) portfolio is one of the largest among the Federal civilian agencies. DOT’s IT budget currently covers more than 400 information systems across 13 Operating Administrations—nearly two-thirds of which belong to the Federal Aviation Administration (FAA). DOT’s financial systems manage and disburse over $50 billion in Federal funds each year.

In May 2009, the White House reported on the urgent need to secure the Nation’s digital infrastructure from individuals who compromise, steal, change, or destroy information vital to our economy and national security.[1] To protect information and information systems that support Federal operations and assets from such cyber threats, the Federal Information Security Management Act (FISMA) of 2002 requires agencies to develop, document, and implement agency-wide information security programs. FISMA also requires agency program officials, chief information officers (CIO), and inspectors general to conduct annual reviews of their agency’s information security program and report the results to the Office of Management and Budget (OMB).

Consistent with FISMA and OMB requirements, our overall audit objective was to determine the effectiveness of DOT’s information security program and practices. Specifically, we assessed DOT’s (1) information security policy, (2) enterprise level information security controls, (3) management of known information security weaknesses, (4) system level security controls, and (5) controls over privacy related information. As required by OMB, we also provided various assessments and performance measures to OMB via its Web portal.[2]

[1] White House Report on Cyberspace Policy Review, May 2009.
[2] OMB has designated this information as “For Official Use Only.” Consequently, our submission to OMB is not contained in this report.

To conduct our work, we selected a representative subset of 45 departmental systems and reviewed their compliance with National Institute of Standards and Technology (NIST) and OMB requirements in seven areas: risk categorization, security plans, annual control testing, contingency planning, certification and accreditation, incident reporting, and plan of action and milestones. We also conducted testing to assess the Department’s inventory of systems, its overall process of resolving information security weaknesses, certain privacy requirements, configuration management, incident reporting, and security-awareness training. Our tests included analysis of data contained in the Department’s Cyber Security Assessment and Management system, reviews of supporting documentation, and interviews with departmental officials. We also used commercial scanning software to assess compliance with Federal Desktop Core Configuration (FDCC) requirements. Our audit was conducted in accordance with generally accepted government auditing standards. See Exhibit A for more details on our scope and methodology.

RESULTS IN BRIEF

During fiscal year 2009, DOT made notable improvements in two key areas. First, the Department’s Office of the Chief Information Officer (OCIO) completed and issued its long-awaited information security policy that was required by FISMA in 2002—the first step in building a sustainable information security program.
This much-needed policy addressed all of NIST’s 17 information security control areas. Second, DOT significantly improved its Common Operating Environment’s compliance with FDCC, which prescribes secure settings for Windows XP software.[3] These actions are consistent with those recommended in our October 2008 report.[4]

Despite these accomplishments, the Department has not made the progress needed to address other critical areas. As a result, the departmental information security program is not as effective as it should be, and is non-compliant with all key FISMA and OMB requirements. We noted weaknesses in five critical areas:

• First, the OCIO’s security policy lacks key elements, such as identifying staff that require specialized training to understand system security risks and their role in mitigating those risks. Such omissions contributed to other deficiencies we identified.
• Second, the Department has not demonstrated sufficient progress in implementing enterprise-level controls. Specifically, not all of its operating systems and database systems have security baseline configurations; the Department has no confirmation that all major security incidents reported to the Department of Homeland Security were received; and it has not provided essential security training to all employees and contract staff.
• Third, the Department has not effectively identified, tracked, or prioritized information security weaknesses to efficiently resolve these weaknesses. Of the approximately 5,400 DOT weaknesses that were tracked, about 1,000 were not remediated in a timely manner. Further, about 300 were not assigned a priority level and 2,400 lacked an estimated cost for remediation.
• Fourth, DOT has not provided adequate controls to protect or recover its systems and system interfaces in the event of a disruption. For example, DOT has not fully inventoried its system interfaces—including 18 e-Government initiatives, such as e-Payroll—with external systems, and could not provide security agreements for interfaces. Further, of the 45 DOT systems we reviewed, we found that half were not appropriately certified and accredited, did not have tested contingency plans, or both.
• Last, the Department has not fully protected privacy related information. DOT lacks an accurate count of systems that are privacy related and did not complete privacy impact assessments for at least 40 percent of these systems. In addition, DOT has not made significant progress in meeting OMB’s requirement to reduce the use of social security numbers (SSN) by November 2009. FAA alone does not plan to satisfy this requirement until 2015. Finally, DOT has not used sufficient authentication and encryption procedures to control remote users’ access to its networks.

[3] The Common Operating Environment provides network infrastructure support to DOT Headquarters and remote offices, except FAA.
[4] Audit of Information Security Program, OIG Report FI-2009-003, October 8, 2008. OIG reports and testimonies can be found on our Web site at www.oig.dot.gov.

To assist the agency in establishing and sustaining an effective information security program—one that complies with FISMA, OMB, and NIST requirements—we are making a series of recommendations, beginning on page 16. A draft of this report was provided to the Department’s CIO on November 9, 2009. On November 16, 2009 we received the CIO’s response, which can be found in its entirety in the Appendix. The CIO generally concurred with our findings and recommendations and in 30 days will provide written comments describing the actions and milestones that will be taken to implement the recommendations.

BACKGROUND

Ensuring a secure global digital information and communications infrastructure is one of the President’s seven guiding principles in protecting the American people.[5] The White House subsequently reported that the Federal Government, as well as the private sector, is facing new cyber security threats. These threats include terrorists and international crime groups who are targeting U.S. citizens, commerce, critical infrastructure, and Government in order to steal, change, or destroy information.

[5] White House Issues: Homeland Security (www.whitehouse.gov/issues/homeland-security).
Undeterred, these individuals have the potential to undermine national security, degrade civil liberties protections, and even cripple society.

In October 2008, we reported that the Department’s information security program and practices did not effectively safeguard DOT’s IT systems and information. Specifically, we found that DOT had not established adequate policies, procedures, and training to identify information-security weaknesses and protect or recover computer systems and networks, including those with personally identifiable information (PII). We made 27 specific recommendations aimed at addressing these deficiencies. (See Exhibit C for a list of our recommendations and their implementation status.)

DOT’S INFORMATION SECURITY POLICY LACKS KEY ELEMENTS

FISMA requires the Chief Information Officer to develop and maintain information security policies, procedures, and control techniques to address security requirements. In fiscal year 2009, the Department issued a series of 19 information security policies. However, the policies lack critical elements to effectively and adequately guide the agency’s information security program (see Table 1). The lack of an adequate policy increases the likelihood that Operating Administrations will create internal practices and ad-hoc procedures, which may not comply with OMB or DOT requirements.
The deficiencies in DOT’s information security policies have also contributed to the other weaknesses documented in this report.

Table 1: Examples of Information Security Policy Deficiencies by Program Area

Incident Reporting
  Description: Detecting, reporting, and responding to security incidents, including notifying law enforcement agencies and relevant OIGs.
  OIG Policy Evaluation: The policy does not document the requirement to report incidents to law enforcement and OIG as required by FISMA and OMB.

Plans of Action and Milestones
  Description: The POA&M tracks the measures implemented to correct deficiencies and to reduce or eliminate known vulnerabilities.
  OIG Policy Evaluation: The policy does not specifically identify the required data elements to properly document and report on information systems’ or programs’ security weaknesses throughout the lifecycle as required by OMB. Such information includes: Description of Weaknesses, Scheduled Completion Date, Key Milestones with Completion Dates, Milestone Changes, Source (e.g., program review, IG audit, GAO audit, etc.), and Status.

Security Training
  Description: Disseminate security information that the workforce, both employees and contractors, need to do their job.
  OIG Policy Evaluation: The policy does not address the identification of users with login privileges to the Department information systems. In addition, it does not identify specific job functions that require specialized security training, such as CIO, ISSO, Database Administrator, etc.

Contractor Oversight
  Description: Monitor the effectiveness of security for systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
  OIG Policy Evaluation: The policy does not contain contractor oversight provisions that would ensure that proper security for the contracted information and systems are in adherence with NIST, OMB, and FISMA requirements.

External Interfaces
  Description: Enforces System Interconnection/Information Sharing and Interconnection Security Agreement, Memorandum of Understanding, or Memorandum of Agreement between systems that share data that are owned or operated by different organizations.
  OIG Policy Evaluation: The policy does not provide any guidance on the preparation of these critical interface agreements nor does it address key elements of NIST guidance.

Source: OIG Analysis

ENTERPRISE-LEVEL CONTROLS WERE INADEQUATE

Enterprise-level controls are controls that are implemented throughout the entire organization or infrastructure, such as configuration management, reporting of security incidents, and security training. While DOT has made significant progress in implementing security baseline configurations for Windows XP operating systems in the Common Operating Environment, it has not demonstrated sufficient progress for other operating systems and databases.
In addition, the Department has not provided evidence that all security incidents, including those that potentially breach PII, were reported to the Department of Homeland Security. Furthermore, while DOT has reported improvement to the number of employees receiving security awareness training, it still cannot provide evidence that all users received the training, including those requiring specialized security training.

Baseline Configuration Standards Have Not Been Fully Implemented

FISMA requires compliance with minimally acceptable system configuration requirements for commercial software. Common security configurations provide a baseline level of security and ensure efficient use of resources. To meet this FISMA requirement, the Department requested Operating Administrations to submit their configuration baseline and evidence of implementation. While all but three Operating Administrations have begun implementation, including scanning their systems to assess compliance, their scanning results indicated a significant amount of noncompliance needs to be remediated. Moreover, the three Operating Administrations that have not provided evidence of implementation—FAA, PHMSA, and SLSDC—together account for 68 percent of systems.

Without complete implementation of baseline configuration standards, the Department has little assurance that its information systems are sufficiently protected from known, exploitable weaknesses in key software. Inadequately configured software also increases security vulnerabilities, which could impact DOT’s mission and business operations. In our May 2009 report on Web security, we noted that the inadequate configuration of Web applications contributed to hackers (1) compromising an FAA Web site to access an internal server, and (2) taking over FAA computers in Alaska.[6]

To meet OMB requirements for system configuration, DOT Acquisition Policy Letter APL-2007-01 states that contracting officers should include clauses in all IT solicitations requiring compliance with Federal security standards for Windows XP and Vista software no later than August 7, 2007. During our review, we found no evidence in FAA’s Acquisition Management System (AMS) or DOT’s PRISM system contracts that the required acquisition language on common security configurations was being incorporated. Without this language, DOT cannot ensure efficiency and security of its overall IT operations and implementation of security controls on DOT systems.

[6] Review of Web Applications Security and Intrusion Detection in Air Traffic Control Systems, OIG Report FI-2009-049, May 4, 2009. OIG reports and testimonies can be found on our Web site at www.oig.dot.gov.

The Department Lacks Assurance that All Security Incidents Were Reported to US-CERT

According to DOT, when a security incident is logged, it is automatically reported to the United States Computer Emergency Readiness Team (US-CERT), and a reference number is generated for the security incident. Between July 1, 2008, and June 30, 2009, DOT had a total of 2,049 confirmed security incidents that needed to be reported to US-CERT. Yet 743, or 36 percent, of the security incidents did not have a US-CERT reference number recorded in DOT’s incident logging system (see Table 2).
Among these incidents, 107 security incidents pertained to potential or confirmed PII breaches and should have been reported within 1 hour. Without US-CERT reference numbers, DOT cannot determine if the Department of Homeland Security received this information, undermining the Government’s ability to properly coordinate among Federal agencies to defend against cyber attacks.

Table 2: Summary of Incidents Missing US-CERT Reference Numbers

US-CERT Category [a]                                  Incidents Missing Reference Numbers   Percentage
Category 1: Unauthorized Access (e.g., PII breach)                                    107           14
Category 2: Denial of Service (DOS)                                                     0            0
Category 3: Malicious Code                                                            393           53
Category 4: Improper Usage                                                            170           23
Category 5: Scans/Probes/Attempted Access                                              73           10
Total Security Incidents                                                              743          100
Source: OIG Analysis
[a] US-CERT Category 0 (Exercise/Test) and Category 6 (Unconfirmed Incidents) were not included in our analysis because they are not required to be reported to US-CERT.

The Department Cannot Identify All Contract Personnel for Security Awareness Training and All Personnel Requiring Specialized Security Training

Security Awareness Training

NIST guidance calls for building and maintaining a comprehensive security awareness and training program that ensures all users
are sufficiently trained in their security responsibilities and how to fulfill them before allowing them access to DOT information systems.[7] DOT training policy requires that all DOT Line of Business and Operating Administration (LoB/OA) CIOs ensure basic security awareness training is provided to all DOT information system users before authorizing access to the system, upon system changes, and at least annually thereafter.

[7] Users may include employees, contractors, foreign or domestic guest researchers, other agency personnel, visitors, guests, and other collaborators or associates requiring access.

While most of the 57,000 DOT employees have received security awareness training, the Department could not ensure that all contractors with login privileges had completed the annual security awareness training because the various sources of information pertaining to contractor staff could not be reconciled. The Department reported that approximately 14,000 contractor staff were given access to DOT networks. Using data from the Cyber Security Assessment and Management (CSAM) system—the Department’s information security reporting system—we estimated that about 11,000 contractor staff were trained during the reporting period. However, various training systems showed that about 27,000 contractor staff—almost twice the number of contractor staff DOT reported—were trained.
Until the Department can accurately track contractor staff and users of DOT networks, it has no assurance that security awareness training is provided to all people who require it.

Specialized Security Training

DOT policy requires Operating Administrations to determine the appropriate content of specialized security training based on the specific requirements of their organization and systems that employees and contractors have access to. It also requires Operating Administrations to provide system owners, system and network administrators, and other personnel having access to system-level software with adequate specialized security training to perform their assigned duties.

However, not all employees with significant security responsibilities are receiving specialized security training. The Department reported 884 employees with significant security responsibilities. This number did not include approximately 63 in nine Operating Administrations—including nine OA Chief Information Officers—who should have received specialized training. Our estimate was based on eight job functions that require specialized training as documented by NIST 800-16.
The job functions included Chief Information Officer, Security Officer, System Administrator, System Developers, Network Administrator, Database Administrator, System Certifier, and Designated Authorizing Authority (DAA) (see Table 3).

Table 3: Unreported Job Functions & Estimated Employees Requiring Specialized Training

                                          Operating Administration [a]
Unreported Categories             FRA  FTA  MARAD  NHTSA  OIG  OST  RITA  SLSDC  STB  Unreported Total
Chief Information Officer           1    1      1      1    1    1     1      1    1                 9
ISSO/ISSM                                1                       1            1    1                 4
System Administrator                1    1      1      1         1     1      1    1                 8
System Designer/Developers          1    1      1      1    1    1     1      1    1                 9
Network Administrator               1    1      1      1         1     1      1    1                 8
Database Administrator              1    1      1      1    1    1     1      1    1                 9
System Certifier                    1    1      1      1         1     1      1    1                 8
Designated Authorizing Authority    1    1      1      1         1     1      1    1                 8
Total Unreported                    7    8      7      7    3    8     7      8    8                63
Source: OIG Analysis
[a] See Exhibit B for full Operating Administration names.

Personnel in other job functions also have access to system level software and, therefore, require specialized training. OIG IT management is in the process of evaluating which OIG staff requires specialized security training. To date, it has reported to the OCIO that at least 13 others, in addition to the three identified in the table and the one reported earlier to OCIO, require some degree of specialized training. As a result of not adequately identifying those employees with significant security responsibilities and providing them with the required specialized training, these employees may not have the correct skill set needed to perform their security responsibilities. Consequently, Department information systems are at risk of not appropriately securing the information and information systems.

THE DEPARTMENT LACKS AN EFFECTIVE PROCESS TO REMEDIATE INFORMATION SECURITY WEAKNESSES

FISMA requirements for agency information security programs include a process for planning, implementing, evaluating, and documenting remedial actions to address information security weaknesses. However, the department process is not effective.
Key concerns are weaknesses in management oversight and reporting of open security weaknesses.

Management Oversight Approach Is Ineffective

In February 2009, the DOT OCIO began meeting monthly with Operating Administrations to address information security concerns. Despite these meetings, the percentage of overdue items increased from 13 percent to 17 percent over the past year. There were also a significant number of items that had been overdue for more than one year—a total of 351 items. Almost 95 percent of these items came from DOT Programs, FHWA, PHMSA, and STB (see Table 4).

Table 4: Summary of Overdue POA&Ms

Overdue columns give the number of open POA&Ms whose scheduled completion date has passed, grouped by how long overdue they are.

Operating           Total Open   1-60   61-90   91-120   121 days   > 1 yr    Total   No Target   Future Scheduled
Administration [a]    POA&Ms     days    days     days   - 1 year            Overdue  Completion   Completion Date
                                                                                           Date
DOT Programs              69       0       0        0          1       64        65          1                  3
FAA                    4,397     148      34       14         56        9       261          7              4,129
FHWA                     514      52       0        1         73       89       215          0                299
FMCSA                      3       0       0        0          0        2         2          0                  1
FRA                       20      20       0        0          0        0        20          0                  0
FTA                       50       5       7        0         23        0        35          0                 15
MARAD                      0       0       0        0          0        0         0          0                  0
NHTSA                      7       0       0        0          0        6         6          0                  1
OIG                       18       2       2        2          8        0        14          2                  2
OST                      149      10       0      127          0        0       137          1                 11
PHMSA                    128       0       0        0          0      128       128          0                  0
RITA                      19       0       0        0          0        1         1         18                  0
SLSDC                      1       0       0        0          0        0         0          1                  0
STB                       67       0       0        0          0       52        52         15                  0
Total                  5,442     237      43      144        161      351       936         45              4,461
Percentage                        4%      1%       3%         3%       6%       17%         1%                82%
Source: DOT Open POA&Ms in CSAM as of July 15, 2009
[a] See Exhibit B for full Operating Administration names.

Operating Administrations did not meet Department requirements for addressing security weaknesses. Specifically, Operating Administrations did not do the following:

• Assign a priority and the time for remediation within the allowed time constraints—high-priority (24 hours), moderate-priority (20 working days), and low-priority (about 3 months)—to 395 security weaknesses, 330 of which were for systems or programs categorized as "High" and "Moderate" to the mission of the Department.
• Establish target completion dates for 45 items or target completion dates within the maximum time allowed by policy for 2,635 out of 4,461 items.
Of the 2,635, 64 security weaknesses are not scheduled for remediation until 2015.
• Estimate the costs needed to fix 2,393 of the 5,442 items.

In addition, Operating Administrations did not record all identified security weaknesses in the plan of action and milestones (POA&M) database for 32 of the 45 systems that we selected for review this year. In particular, MARAD did not enter any known security weaknesses in the POA&M database.

Management Reporting Is Unreliable

We found significant discrepancies between the POA&M database and the Security and Privacy Posture Summary Status Report, dated July 2, 2009, which the CIO office uses to monitor Operating Administrations’ progress in correcting identified security weaknesses (see Table 5).

Table 5: OIG POA&M Data Analysis Comparison Results

                                  OCIO’s Report   POA&M Database   Difference
Total number of open POA&Ms               4,674            5,442          768
POA&Ms not categorized                      247              395          148
Unidentified cost                             0            2,393        2,393
Overdue POA&Ms                              276              936          660
Source: CIO’s Security and Privacy Posture Summary Status Report dated July 2, 2009, and DOT Open POA&Ms in CSAM as of July 15, 2009

Without proper management of a compliant POA&M process, there is little assurance that the Department’s systems are adequately secured and protected.
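The checks behind the findings above (priority and remediation window, target date within the policy maximum, cost estimate, overdue aging, and the report-versus-database comparison in Table 5) can be run mechanically over a POA&M extract. The script below is an added illustration written for this page; it is not the OIG’s tooling or DOT’s CSAM code. It assumes a simple record layout (a dictionary per weakness with status, priority, identified date, target date and cost), takes the remediation windows from the text (24 hours, 20 working days, about 3 months), reads "about 3 months" as 90 calendar days, ignores Federal holidays when counting working days, and uses constructed sample records rather than DOT data.

```python
"""POA&M policy checks: remediation windows, record completeness and aging."""
from __future__ import annotations

from collections import Counter
from datetime import date, datetime, timedelta

# Remediation windows stated in the report: high 24 hours, moderate
# 20 working days, low "about 3 months". Reading "about 3 months" as
# 90 calendar days is an assumption made for this example.
HIGH_WINDOW = timedelta(hours=24)
MODERATE_WORKING_DAYS = 20
LOW_WINDOW = timedelta(days=90)
ONE_YEAR = timedelta(days=365)


def add_working_days(start: date, n: int) -> date:
    """Date n working days (Mon-Fri; Federal holidays ignored) after start."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:  # Monday=0 .. Friday=4
            n -= 1
    return d


def policy_deadline(priority: str | None, identified: datetime) -> datetime | None:
    """Latest target date the policy allows; None when no priority was assigned."""
    if priority == "high":
        return identified + HIGH_WINDOW
    if priority == "moderate":
        due = add_working_days(identified.date(), MODERATE_WORKING_DAYS)
        return datetime.combine(due, identified.time())
    if priority == "low":
        return identified + LOW_WINDOW
    return None


def check_poam(rec: dict, as_of: datetime) -> set[str]:
    """Findings for one open POA&M record, mirroring the audit criteria:
    no priority, no cost estimate, no target date, target date beyond the
    policy window, overdue, and overdue by more than a year."""
    findings: set[str] = set()
    if rec.get("status") != "open":
        return findings  # closed items are out of scope for these checks
    if rec.get("priority") not in ("high", "moderate", "low"):
        findings.add("not_prioritized")
    if rec.get("cost") is None:
        findings.add("no_cost_estimate")
    target = rec.get("target")
    if target is None:
        findings.add("no_target_date")
        return findings
    deadline = policy_deadline(rec.get("priority"), rec["identified"])
    if deadline is not None and target > deadline:
        findings.add("target_beyond_policy")
    if target < as_of:
        findings.add("overdue")
        if as_of - target > ONE_YEAR:
            findings.add("overdue_more_than_1yr")
    return findings


def summarize(records: list[dict], as_of: datetime) -> Counter:
    """Aggregate finding counts across an extract (the Table 4 / Table 5 figures)."""
    counts: Counter = Counter()
    counts["open"] = sum(1 for r in records if r.get("status") == "open")
    for rec in records:
        counts.update(check_poam(rec, as_of))  # each finding counted once per record
    return counts


def reconcile(report: dict[str, int], db_counts: Counter) -> dict[str, int]:
    """Database minus management-report figures, the comparison made in Table 5."""
    return {k: db_counts.get(k, 0) - v for k, v in report.items()}


AS_OF = datetime(2009, 7, 15)  # extract date used in the report

# Constructed sample records for this example; these are not DOT data.
SAMPLE_POAMS = [
    {"id": "W-1", "status": "open", "priority": "high",
     "identified": datetime(2009, 7, 10, 9), "target": datetime(2009, 7, 11, 9), "cost": 500},
    {"id": "W-2", "status": "open", "priority": "moderate",
     "identified": datetime(2009, 6, 1, 9), "target": datetime(2009, 8, 1, 9), "cost": None},
    {"id": "W-3", "status": "open", "priority": None,
     "identified": datetime(2008, 1, 15), "target": datetime(2008, 3, 1), "cost": 1000},
    {"id": "W-4", "status": "open", "priority": "low",
     "identified": datetime(2009, 5, 1), "target": None, "cost": 200},
    {"id": "W-5", "status": "closed", "priority": "low",
     "identified": datetime(2009, 1, 5), "target": datetime(2009, 3, 1), "cost": 50},
    {"id": "W-6", "status": "open", "priority": "low",
     "identified": datetime(2009, 6, 1), "target": datetime(2015, 1, 1), "cost": 5000},
]

# A constructed management report that undercounts, as the OCIO report did in Table 5.
SAMPLE_REPORT = {"open": 4, "overdue": 1}

if __name__ == "__main__":
    summary = summarize(SAMPLE_POAMS, AS_OF)
    for key in sorted(summary):
        print(f"{key:24s} {summary[key]}")
    print("database minus report:", reconcile(SAMPLE_REPORT, summary))
```

Run against a real extract, the same loop would be fed from the CSAM export instead of SAMPLE_POAMS; the point of the split between check_poam and summarize is that each record keeps its own list of findings, so the 64 items scheduled for 2015 are flagged individually ("target_beyond_policy") and not only as a count. Holidays and the exact meaning of "about 3 months" are policy details the report does not state, so the constants at the top are where a real implementation would be adjusted.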
Specifically, without documenting security weaknesses, estimating cost, prioritizing risk, or updating milestones such as scheduled completion dates to resolve or mitigate all weaknesses, it is difficult or impossible for the Department and the Operating Administrations to adequately prioritize and resolve open weaknesses. As a result, weaknesses of lesser urgency may be resolved before critical ones. In addition, allowing weaknesses to remain unaccounted for, unresolved or unmitigated for extended periods increases the risk that such vulnerabilities and exposures may be exploited by intruders, or may otherwise compromise the confidentiality, availability or integrity of systems and data.

SYSTEMS ARE NOT ADEQUATELY PROTECTED OR TESTED TO ENSURE RECOVERY

The Department continues to lack an accurate and complete inventory of its information systems and related interfaces, and a process to ensure system owners have complete information when approving systems. Without such information, DOT cannot ensure its information systems are protected or can be recovered.

Specifically, DOT does not have an inventory of system interfaces with external systems, including 18 e-Government initiatives, and could not provide security agreements for those interfaces. In addition, MARAD did not inventory its systems correctly and did not perform adequate security testing to ensure protection of sensitive information. Of the 45 DOT systems reviewed, we found that half were not appropriately certified and accredited, did not have tested contingency plans, or both.

The Department’s Inventories of MARAD Systems and External System Interfaces Are Not Comprehensive

FISMA requires agencies to develop, maintain, and annually update inventories of the major information systems, including interfaces to external systems, that they operate or control.
These inventories are used to track agency systems for annual testing and evaluation and for contingency planning. As such, a complete and accurate inventory of major information systems is the first step in managing the agency’s information technology resources, including the security of those resources. Further, OMB requires an Interconnection Security Agreement, Memorandum of Understanding, or Memorandum of Agreement between systems that share data and are owned or operated by different organizations.

DOT had no major weaknesses in accounting for its internal systems. However, MARAD did not use an appropriate methodology to develop its system inventory. MARAD classified 35 of its applications as minor and then grouped them into eight different systems for certification and accreditation. The systems contained unrelated applications that did not comprise a system boundary suitable for certification and accreditation. As a result of this inappropriate grouping, component applications did not receive proper security review. For example, one system had five applications, but there is no evidence that two of them were reviewed as part of the certification and accreditation process. Without a well-developed inventory, it is almost impossible to determine whether system-level controls are implemented or effective, or to track security metrics for systems. In addition, as changes occur to systems, it is difficult to reassess system-level controls or to enforce security at the system level.

While the Department could generally account for its internal systems, it was unable to provide a list of all interfaces with external systems. For example, 18 e-Government initiatives, including e-Payroll and GovTrip, were not included in the inventory.
Also, the Department could not provide the required security agreements for those interfaces. Without an accurate inventory of interfaces, the Department cannot ensure that the interfaces are being managed properly or that the information transmitted over them is secured.

Certification and Accreditation and Contingency Plan Testing Are Not Adequate

FISMA requires agencies to report on their certification and accreditation of systems, a process to formally evaluate (certify) the management, operational, and technical controls established in an information system’s security plan and to authorize (accredit) the system for operation. However, DOT’s certification and accreditation process does not provide complete information to support risk-based decisions or ensure that security controls are updated or tested on a periodic basis.

Of the 45 DOT systems we reviewed, 25 were not compliant with the certification and accreditation standards in NIST SP 800-37 (see Table 6). Specifically, Operating Administrations were deficient in performing risk categorizations and assessments, security control selection and testing, and contingency plan testing. We also found that nine of the 45 systems (20 percent) did not test controls in the last 12 months, as required by OMB.[8] In addition, 22 of the 45 did not have tested contingency plans.

Incomplete or inadequate system security assessments may result in systems being approved to operate while carrying unidentified or unaccepted risks. Such risks include exploitable vulnerabilities that result from missing or weak controls and inadequate security planning.
In addition, without complete security and contingency testing, systems may be operating with critical new or unresolved weaknesses, and risk not being recovered in time to minimize business disruption.

[8] OMB requires agencies to test a subset of the security controls annually, as part of continuous monitoring, subsequent to the initial authorization of the information system.

Table 6: Sample Systems Results Summary by Operating Administration(a)

                                           FAA  FHWA  FMCSA  FRA  FTA  MARAD  NHTSA  OST  PHMSA  RITA  Total
Number of Systems Sampled                   28     1      3    1    2      1      1    6      1     1     45
Systems without Fully Compliant C&As        22     0      0    0    0      1      0    2      0     0     25
Systems without Annual Testing               5     0      2    0    0      1      1    0      0     0      9
Systems without Tested Contingency Plans    16     1      0    1    0      1      0    2      1     0     22
Source: OIG Analysis
(a) See Exhibit B for full Operating Administration names.

PRIVACY PROTECTION PROGRAM STILL NOT MEETING OMB REQUIREMENTS

While the Department has made some progress in completing OMB privacy protection requirements, it lacks a reliable count of systems that are privacy related and did not complete privacy impact assessments for at least 40 percent of these systems. In addition, DOT has not implemented key privacy initiatives, including reducing the use of SSNs (a process which OMB required to be completed by November 2009) and using appropriate authentication or encryption for controlling remote access to its networks.

Count of Systems Containing Privacy Information Is Unreliable and Privacy Impact Analyses Are Incomplete

OMB policy established criteria and instructions for agencies to manage systems containing privacy information. Specifically, OMB policy requires agencies to (1) conduct privacy impact assessments for electronic information systems that collect identifiable information, (2) report annually to OMB on compliance with section 208 of the E-Government Act of 2002,[9] and (3) submit completed assessments to OMB no later than October 3, 2003.

According to the Security and Privacy Posture Summary Status Report, DOT has not completed privacy impact assessments for at least 40 percent of the systems that require one (48 of 116), almost six years after they were required.
Without completing all privacy impact assessments, the Department cannot fully ensure that the private information it collects is used only for its intended purpose and is not disseminated without the individual’s knowledge and consent.

[9] OMB requires agencies to address information technology systems or information collections for which PIAs were conducted, uses of persistent tracking technology, agency achievement of goals for machine readability, and contact information for the person responsible for privacy policies.

Conducting the assessments is problematic in part because DOT lacks an accurate count of its privacy systems. Last year, the Department reported that 109 systems contained PII. In September 2009, 140 systems in the Department’s security database were identified as containing PII. However, the Security and Privacy Posture Summary Status Report showed a count of 201 PII systems, a discrepancy of about 60 systems. Without a valid inventory of systems that hold privacy information, the agency has little assurance in the integrity of the privacy information reported or in the confidentiality of PII contained in systems that may be missing from the inventory.

The Department Has Not Implemented Key Privacy Initiatives

The Department has also failed to fully implement three key OMB requirements to safeguard privacy-related information: reduce the use of SSNs, employ two-factor authentication, and encrypt mobile devices that contain PII (see Table 7).
As a result, the Department cannot ensure that all PII is properly protected or minimize the risk that SSNs are exposed to parties who do not have a legitimate need to know or possess them.

Table 7: DOT Implementation of OMB Privacy Initiatives

OMB Initiative                                    Status
Complete SSN reduction and PII volume             DOT identified 25 systems that can reduce use of SSNs. Only
reduction.                                        5 systems have completed a plan to do so. In addition, FAA
                                                  does not plan to eliminate unnecessary use of SSNs until 2015.
Allow remote access only with two-factor          Two-factor authentication delayed until DOT implements
authentication where one of the factors is        Homeland Security Presidential Directive 12.
provided by a device separate from the
computer gaining access.
Ensure that all PII data stored or carried on     As of July 2, 2009, 592 out of 11,723 mobile devices from the
mobile computers/devices is encrypted using       Department have not had NIST-approved encryption applied.
NIST-approved encryption.                         (No data were available for FAA and FHWA.)(a)
Source: OIG Analysis
(a) OMB requires encryption on any device used to store information that can be physically transported outside of the agency’s secured physical perimeter (this includes information transported on removable media and on portable/mobile devices such as laptop computers and/or personal digital assistants).

CONCLUSION

This past year DOT made progress in establishing an effective information security program by issuing overdue information security policies. These policies will serve as the starting point for improving DOT’s information security program. However, because most DOT systems are owned and managed by the Operating Administrations, ensuring proper implementation and execution of these security policies will require strong leadership, greater influence, and oversight by the DOT OCIO, and management commitment from Operating Administration Administrators, to achieve a mature information security program that is sustainable. Until DOT addresses the known weaknesses in its program, it will remain vulnerable to unauthorized and potentially malicious parties.

RECOMMENDATIONS

Recognizing the challenges of developing a mature information security program from what DOT currently has in place, we are providing a number of actions that may serve as a roadmap to address urgent vulnerabilities currently inherent in the program. To mitigate these weaknesses and enable DOT’s information security program to evolve towards an appropriate level of maturity, we recommend that the Chief Information Officer do the following:

Information Security Policy:

1.  Revise the incident response policy to identify the conditions under which incidents should be reported to law enforcement (i.e., OIG), how the reporting should be performed, what evidence should be collected, and how it should be collected.
2.  Revise the plan of action and milestones policy to address all the OMB requirements, including description of the weakness, scheduled completion date, key milestones, changes to milestones, source of the weakness, and status.
3.  Revise the security awareness and training policy to include the identification of all users, such as employees, contractors, and others requiring access to DOT information systems. Include provisions in the policy to separate these active user accounts from non-person accounts.
4.  Revise the training policy to list the job functions that require specialized security training and the type of specialized training required for those job functions, as described in NIST SP 800-16.
5.  Revise policy to address the security of information and information systems managed by contractors, including information security roles and responsibilities, security control baselines and rules for departures from the baseline, and rules of behavior for contractors and minimum repercussions for noncompliance.
6.  Revise the interface agreement policy to incorporate the necessary elements, such as the purpose of the interconnection, a description of security controls, a schematic of the interconnection, timelines for terminating or reauthorizing the interconnection, and the authority for establishing the interconnection.

Enterprise-Level Weaknesses:

7.  Ensure that the Federal Aviation Administration, Saint Lawrence Seaway Development Corporation, and Pipeline and Hazardous Materials Safety Administration have deployed DOT-approved configuration baselines and tools to assess implementation status.
8.  Use automated tools to periodically verify the completion status reported by Operating Administrations and to identify deviations from the approved baseline configurations.
9.  Require Operating Administrations to manage identified deviations from approved baseline configurations by tracking and resolving significant baseline configuration weaknesses in plans of action and milestones.
10. Work with Operating Administration Chief Information Officers to ensure that all new IT contracts include the acquisition language on common security configurations required by DOT and OMB M-07-18.
11. Work with the CSMC to develop a process to ensure that all Department of Homeland Security reference numbers are received and entered into the DOT tracking system for confirmation.
12. Develop and establish a tracking system that effectively and routinely accounts for all active contractors requiring security awareness training.
13. Develop a mechanism to enforce that all employees, including contractors with login privileges, have completed the required annual security awareness training in order to gain and maintain access to Department information systems.
14. Identify all employees with significant security responsibilities and ensure they take the specialized security training necessary to fulfill those responsibilities.

Management of Security Weaknesses:

15. Monitor, and report to the Deputy Secretary, Operating Administrations’ progress in resolving long-overdue security weaknesses, reestablishing target completion dates in accordance with departmental policy, providing cost estimates for fixing security weaknesses, prioritizing weaknesses, and recording all identified security weaknesses in plans of action and milestones.
16. Ensure accurate information is used to monitor Operating Administrations’ progress in correcting security weaknesses.

Information System Security:

17. Require the Chief Information Security Officer and Operating Administrations to conduct a review to identify all interfaces with systems external to the Department, ensure the related security agreements are adequate, and track them in the Cyber Security Assessment and Management system.
18. Ensure that the Maritime Administration properly inventories its information systems and tracks them in the Cyber Security Assessment and Management system.
19. Ensure that the Maritime Administration certifies and accredits each system in the revised inventory.
20. Improve the quality assurance checks on the Operating Administrations’ certifications and accreditations by increasing the frequency and scope of the checks, communicating results and expected actions to the Operating Administrations, requiring updated plans of action and milestones to address the weaknesses noted (including those found in the Inspector General reviews), and following up on the resolution of the weaknesses noted.
21. Require the Federal Aviation Administration, Federal Highway Administration, Federal Railroad Administration, Maritime Administration, Office of the Secretary of Transportation, and Pipeline and Hazardous Materials Safety Administration to conduct contingency testing of the systems for which there was no evidence of such tests.
22. Develop a process to ensure Operating Administrations continuously monitor and test information system security controls.

Privacy Program:

23. Finalize the inventory count for systems containing privacy information.
24. Work with Operating Administrations to complete privacy impact assessments for applicable information systems.
25. Work with the Federal Aviation Administration to establish a reasonable target date for completing the reduction of social security numbers recorded in its systems.
26. Implement two-factor authentication for remote access.
27. Implement NIST-approved encryption on all mobile computers/devices.

MANAGEMENT COMMENTS

A draft of this report was provided to the Department’s CIO on November 9, 2009. On November 16, 2009, we received the Department CIO’s response, which can be found in its entirety in the Appendix. The CIO generally concurred with our findings and recommendations and will provide, within 30 days, written comments describing the specific actions and milestones that will be taken to implement the recommendations.

ACTIONS REQUIRED

We will review the Chief Information Officer’s detailed action plans to determine whether they satisfy the intent of our recommendations. All corrections are subject to the follow-up provisions in DOT Order 8000.1.C. We appreciate the courtesies and cooperation of the CIO Office and the Operating Administrations’ representatives during this audit.
If you have any questions concerning this report, please call me at (202) 366-1959; Ann Calvaresi-Barr, Principal Assistant Inspector General for Auditing and Evaluation, at (202) 366-1427; or Rebecca C. Leng, Assistant Inspector General for Financial and Information Technology Audits, at (202) 366-1407.

cc: Deputy Secretary
    Assistant Secretary for Budget and Programs/Chief Financial Officer
    CIO Council Members
    Martin Gertel, M-1

EXHIBIT A. Scope and Methodology

The Federal Information Security Management Act of 2002 (FISMA) requires that we perform an independent evaluation to determine the effectiveness of the Department’s information security program and practices. FISMA further requires that our evaluation include testing of a representative subset of systems and an assessment, based on our testing, of the Department’s compliance with FISMA and applicable requirements. On August 20, 2009, the Office of Management and Budget (OMB) issued M-09-29, FY 2009 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, which provides instructions for inspectors general on completing their FISMA evaluations and the required OMB template. For 2009, OMB has required the use of a common Web portal to upload the required metrics, a significant number of which have changed.

To meet FISMA and OMB requirements, we selected a representative subset of 45 departmental systems (see Table 8) and reviewed the compliance of these systems with NIST and OMB requirements in the areas of risk categorization, security plans, annual control testing, contingency planning, certification and accreditation, incident handling, and plans of action and milestones.
We also conducted testing to assess the Department’s inventory, its overall process for resolving information security weaknesses, certain privacy requirements, configuration management, incident reporting, security-awareness training, and peer-to-peer file sharing. Our tests included analysis of data contained in the Department’s Cyber Security Assessment and Management system, reviews of supporting documentation, and interviews with departmental officials. We also used commercial scanning software to assess compliance with Federal Desktop Core Configuration requirements.

Table 8. OIG’s Representative Subset of DOT Systems

Operating                                                                                    Impact    Contractor
Administration(a)  System                                                                    Level     System?
FAA                Accident/Incident & Enforcement Query Tool (AIE)                          Moderate  No
FAA                ASH HQ LAN                                                                Moderate  No
FAA                ASH LANS                                                                  Moderate  No
FAA                ATO Consolidated LAN                                                      Low       No
FAA                ATO Network                                                               Moderate  No
FAA                Aviation Safety Information Analysis and Sharing (ASIAS) System           Moderate  No
FAA                Capability and Architecture Tool Suite (CATS-I)                           Low       No
FAA                Collaborative Routing Coordination Tool (CRCT)                            Low       No
FAA                Delphi Tracking System (DTF)                                              Moderate  No
FAA                Eastern Region Office of Government Ethics – 450 (OGE-450)                Moderate  No
FAA                Enterprise Architecture Portal (EAP) Metadata Repository                  Low       No
FAA                Excellence through Quality Reliance (EtQ)                                 Moderate  No
FAA                Flight Service for the 21st Century (FS21)                                Moderate  No
FAA                Flight Systems Laboratory Software Tool Set (FSL Tools)                   Low       No
FAA                Information Technology Asset Management System (ITAMS)                    Low       No
FAA                Integrated Rulemaking Management Information System (IRMIS)               High      No
FAA                Monitor Safety Related Data / Aviation Safety Accident Prevention
                   Program (MSRD/ASAP)                                                       Moderate  No
FAA                NADIN Message Switch Rehost (NMR)                                         Moderate  No
FAA                National Airspace System Technical Evaluation Program (NASTEP)            Low       No
FAA                Office of Airports Local Area Networks (ARP LANS)                         Moderate  No
FAA                Operations Specifications Sub-System (OPSS)                               High      No
FAA                Payback                                                                   Moderate  No
FAA                Risk Based Resource Targeting (RBRT)                                      Moderate  No
FAA                Safety Program Notification System (SPANS)                                Moderate  No
FAA                Selections Within Faster Times (SWIFT)                                    Moderate  No
FAA                Staffing and Cost Analysis Tool (SCAT)                                    Moderate  No
FAA                Voice Switching and Control System (VSCS)                                 Moderate  No
FAA                Whistleblower Protection Program (WBPP)                                   High      No
FHWA               Delphi Interface Maintenance System (DIMS)                                High      No
FMCSA              Commercial Vehicle Information Systems & Networks (CVISN) Web Site        Low       No
FMCSA              COMPASS                                                                   Moderate  No
FMCSA              Gotham                                                                    Moderate  No
FRA                Railroad Credit Risk Assessment                                           Low       No
FTA                FTA Inter/Intranet                                                        Moderate  Yes
FTA                National Transit Database (NTD)                                           Moderate  Yes
MARAD              Enclave 1                                                                 Low       No
NHTSA              Support Delivery Services                                                 Moderate  No
OST                Case Tracking System (CTS)                                                Moderate  No
OST                Correspondence Control Management System (CCMS)                           Moderate  No
OST                Grant Information System (GIS)                                            Low       Yes
OST                Security Operations Systems                                               High      Yes
OST                Transportation Integrated Print Transaction System (TIPTS)                Low       Yes
OST                Workman Compensation Information System (WCIS)                            Moderate  No
PHMSA              NPMS                                                                      Low       Yes
RITA               Volpe Center PRISM System                                                 Moderate  Yes
Source: OIG
(a) See Exhibit B for full Operating Administration names.

As required, we submitted to OMB key security metrics and qualitative assessments pertaining to DOT’s information security program and practices. OMB requires that our FISMA submission include information from all DOT Operating Administrations, including OIG. For 2009, OMB changed a number of security metrics and assessments, and mandated the use of the Web-based CyberScope system to input our FISMA results.
In addition to preparing our submission, we reviewed the Department’s progress in resolving the weaknesses identified in our prior year’s FISMA report.

We performed our information security review work between February 2009 and September 2009. We conducted our work at departmental and Operating Administration Headquarters offices in the Washington, D.C., area. We conducted our audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Previous audit reports on the Department’s information security program issued in response to the FISMA legislative mandate (formerly the Government Information Security Reform Act) include:

DOT Information Security Program, FI-2009-003, October 8, 2008;
DOT Information Security Program, FI-2008-001, October 10, 2007;
DOT Information Security Program, FI-2007-002, October 23, 2006;
DOT Information Security Program, FI-2006-002, October 7, 2005;
DOT Information Security Program, FI-2005-001, October 1, 2004;
DOT Information Security Program, FI-2003-086, September 25, 2003;
DOT Information Security Program, FI-2002-115, September 27, 2002; and
DOT Information Security Program, FI-2001-090, September 7, 2001.

EXHIBIT B. DOT Operating Administrations and System Inventory Counts

Operating Administration                                          FY 2009   FY 2008
Federal Aviation Administration (FAA)                                 274       264
Federal Highway Administration (FHWA)                                  21        26
Federal Motor Carrier Safety Administration (FMCSA)                    21        23
Federal Railroad Administration (FRA)                                  12        21
Federal Transit Administration (FTA)                                    5         5
Maritime Administration (MARAD)                                        10        13
National Highway Traffic Safety Administration (NHTSA)                 10        11
Office of Inspector General (OIG)                                       2         2
Office of the Secretary (OST)                                          36        44
Pipeline and Hazardous Materials Safety Administration (PHMSA)          5         4
Research and Innovative Technology Administration (RITA)               10         9
Saint Lawrence Seaway Development Corporation (SLSDC)                   1         1
Surface Transportation Board (STB)                                      2         2
    Total Systems                                                     409       425
Source: OIG, and DOT CSAM as of July 6, 2009

EXHIBIT C. Status of Prior Year’s Recommendations

FY 2008 FISMA
Report
Recommendation   FY 2008 Recommendation                                                  Status
Number
      1          Provide information security performance metrics to be included in     CLOSED
                 Operating Administration CIOs’ performance standards and subsequently
                 provide input on their performance in addressing these metrics.
      2          Develop and issue comprehensive, compliant information security        CLOSED
                 policies and procedures as required by FISMA, OMB, and NIST.
      3          Complete review of its draft breach-notification policy, perform       CLOSED
                 revisions as necessary to conform to OMB requirements, and issue an
                 official breach-notification policy.
      4          Review and finalize its plan to reduce Social Security numbers, and    OPEN
                 implement the reduction of Social Security numbers in the time frame
                 set forth by OMB.
      5          Issue a policy outlining the rules of behavior and identifying         CLOSED
                 consequences and corrective actions available for failure to protect
                 privacy.
      6          Establish a departmentwide internal FISMA cut-off date that allows     CLOSED
                 sufficient time for the Department to conduct meaningful internal
                 review, which includes evaluating the accuracy of
the\n                  data it includes in its FISMA report as\n                  well as time to resolve any potential\n                  disputes with the OIG.\n                  Maintain an adequate audit trail of data\n       7          supporting FISMA reports as of the          CLOSED\n                  selected cut-off date.\n                  Assign a priority to finalizing the DOT\n       8                                                      CLOSED\n                  configuration management policy.\n\n\n\n\nExhibit C. Status of Prior Year\xe2\x80\x99s Recommendations\n\x0c                                                                       26\n\n\n\n  FY 2008 FISMA         FY 2008 Recommendation                Status\n      Report\n Recommendation\n     Number\n                  Require Operating Administrations to\n                  periodically report status of baseline\n                  configuration compliance and\n       9                                                     CLOSED\n                  independently validate compliance\n                  status reported by Operating\n                  Administrations.\n                  Implement NIST Federal Desktop Core\n                  Configuration settings on the Window\n                  XP workstations on the DOT Common\n                  Operating Environment, require\n                  Operating Administrations to implement\n       10                                                    CLOSED\n                  Federal Desktop Core Configuration\n                  settings on Operating Administrations\xe2\x80\x99\n                  Windows XP workstations, and\n                  document any required deviations from\n                  those settings.\n                  Establish a timetable for Operating\n                  Administrations to work with CSMC to\n       11                                                    CLOSED\n                  deploy monitoring devices covering all\n     
             DOT critical networks\n                  Enforce Operating Administrations\xe2\x80\x99\n                  reporting of PII-related security\n       12                                                    CLOSED\n                  incidents to CSMC immediately upon\n                  discovery, as specified in DOT policy.\n                  Revised DOT policies to meet the OMB\n       13                                                    CLOSED\n                  requirement for reporting PII incidents.\n                  Implement procedures for Operating\n       14         Administrations to take timely remedial    CLOSED\n                  action for identified incidents.\n                  Direct CSMC and Operating\n                  Administrations to work together to\n                  collect and share the information\n       15                                                    CLOSED\n                  needed for cyber incident-response\n                  reporting, such as IP-address\n                  assignment and critical logging data.\n                  Enforce the requirements for all\n                  employees and contractors to take\n       16         security-awareness training in order to    CLOSED*\n                  gain and maintain access to\n                  Department systems.\n                  Establish a tracking system or other\n                  process that effectively and routinely\n       17                                                    CLOSED*\n                  accounts for all active contractors\n                  requiring security training.\n\n\n\n\nExhibit C. 
Status of Prior Year\xe2\x80\x99s Recommendations\n\x0c                                                                                                 27\n\n\n\n  FY 2008 FISMA                   FY 2008 Recommendation                              Status\n      Report\n Recommendation\n     Number\n                           Establish a mechanism to identify and\n           18              train employees and contractors                         CLOSED*\n                           requiring specialized security training.\n                           Include collaborative Web technologies\n           19              in the Department\xe2\x80\x99s required security-                    OPEN\n                           awareness training.\n                           Ensure that all weaknesses that are\n                           identified during reviews, including\n           20              certification and accreditation, and that               CLOSED*\n                           require remediation, are tracked in the\n                           Department\xe2\x80\x99s POA&M system.\n                           Establish adequate policies for\n           21              timeliness of remediation and enforce                    CLOSED\n                           such policies.\n                           Require that all identified weaknesses\n                           include a cost estimate and that these\n           22              estimates, along with the severity of the                CLOSED\n                           weakness, be used to prioritize these\n                           weaknesses for correction.\n                           Implement a process to ensure that all\n                           departmental systems that require e-\n                           authentication are identified in the e-\n           23              authentication system inventory and                      CLOSED\n                           that the necessary e-authentication\n   
                        supporting documentation is obtained or\n                           developed for these systems.\n                           Ensure that all systems that require e-\n                           authentication have certification and\n                           accreditation packages that include\n           24                                                                       CLOSED\n                           support for e-authentication in the\n                           appropriate sections of their system\n                           security plans and risk assessments.\n                           Validate that e-authentication systems\n           25              have operationally achieved the                           OPEN\n                           required assurance level.\n                           Require development and appropriate\n                           annual testing of system contingency\n                           plans and ensure that tested\n           26                                                                      CLOSED*\n                           contingency plans are updated based\n                           on the results of the contingency plan\n                           tests performed, and\n                           Enforce certification and accreditation\n           27              requirements uniformly throughout the                    CLOSED\n                           Department.\nSource: OIG\n*New recommendations were made in this year\xe2\x80\x99s audit to continue addressing these deficiencies.\n\n\nExhibit C. Status of Prior Year\xe2\x80\x99s Recommendations\n\x0c                                                                   28\n\n\n\nEXHIBIT D. MAJOR CONTRIBUTORS TO THIS REPORT\nName                               Title\n\nLouis C. King                      Program Director\nDr. Ping Z. 
Sun                    Program Director for IT Audit\n                                   Computer Laboratory\nMichael Marshlick                  Project Manager\nLissette Mercado                   Project Manager\nKaren Sloan                        Communications Officer\nAtul Darooka                       Information Technology\n                                   Specialist\nMartha Morrobel                    Information Technology\n                                   Specialist\nAnn Moles                          Information Technology\n                                   Specialist\nAnthony Cincotta                   Information Technology\n                                   Specialist\nVasily Gerasimov                   Information Technology\n                                   Specialist\n\n\n\n\nExhibit D. Major Contributors to this Report\n\x0c                                 29\n\n\n APPENDIX. MANAGEMENT COMMENTS\n\n\n\n\nAppendix. Management Comments\n\x0c                                30\n\n\n\n\nAppendix. 
Year 2009 Audit of Department of Transportation’s Information Security Program
and Practice Report

Section 508 Compliant Presentation


Table 1 depicted in the Fiscal Year 2009 Audit of Department of Transportation’s
Information Security Program and Practices Report on page 5 titled “Examples of
Information Security Policy Deficiencies by Program Area.”

This table presents the Department of Transportation’s policies that lacked critical
elements to effectively and adequately guide the agency’s information security program
or address key Office of Management and Budget privacy requirements.

The following presents the status of Information Security Policy Deficiencies by Program
Area.

Program Area: Incident Reporting
Functional Description: Detecting, reporting, and responding to security incidents,
including notifying law enforcement agencies and relevant Offices of Inspector General.
Office of Inspector General Policy Evaluation: The policy does not document the
requirement to report incidents to law enforcement and the Office of Inspector General as
required by the Federal Information Security Management Act and the Office of Management
and Budget.

Program Area: Plans of Action and Milestones
Functional Description: Used to track the measures implemented to correct deficiencies and
to reduce or eliminate known vulnerabilities.
Office of Inspector General Policy Evaluation: The policy does not specifically identify
the required data elements to properly document and report on information systems’ or
programs’ security weaknesses throughout the lifecycle as required by the Office of
Management and Budget. Such information includes: Description of Weaknesses, Scheduled
Completion Date, Key Milestones with Completion Dates, Milestone Changes, Source (for
example, program review, IG audit, GAO audit, etcetera), and Status.

Program Area: Security Training
Functional Description: Disseminating security information that the workforce, both
employees and contractors, need to do their job.
Office of Inspector General Policy Evaluation: The policy did not address the
identification of users with login privileges to the Department information systems. In
addition, it does not identify specific job functions that require specialized security
training, such as Chief Information Officer, Information System Security Officer, Database
Administrator, etcetera.

Program Area: Contractor Oversight
Functional Description: Monitoring the effectiveness of the information security for
information and information systems that support the operations and assets of the agency,
including those provided or managed by another agency, contractor, or other source.
Office of Inspector General Policy Evaluation: The policy did not contain contractor
oversight provisions that would ensure that proper security for the contracted information
and systems is in adherence with National Institute of Standards and Technology, Office of
Management and Budget, and Federal Information Security Management Act requirements.

Program Area: External Interfaces
Functional Description: Enforcing System Interconnection/Information Sharing and
Interconnection Security Agreement, Memorandum of Understanding, or Memorandum of
Agreement between systems that share data that are owned or operated by different
organizations.
Office of Inspector General Policy Evaluation: The policy does not provide any guidance on
the preparation of these critical interface agreements nor does it address key elements of
National Institute of Standards and Technology guidance.


Table 2 depicted in the Fiscal Year 2009 Audit of Department of Transportation’s
Information Security Program and Practices Report on page 7 titled “Summary of
Incidents Missing United States Computer Emergency Readiness Team Reference
Numbers.”

This table presents the number of security incidents which did not have a United States
Computer Emergency Readiness Team reference number, for each incident category type.

 Category  Incident Type                                     Incidents Missing  Percentage
                                                             Reference Numbers
 1         Unauthorized Access (for example, Personally                    107          14
           Identifiable Information Breach)
 2         Denial of Service                                                 0           0
 3         Malicious Code                                                  393          53
 4         Improper Usage                                                  170          23
 5         Scans, Probes, Attempted Access                                  73          10
 Total Security Incidents                                                  743         100


Table 3, depicted in the Fiscal Year 2009 Audit of Department of Transportation’s
Information Security Program and Practices Report, on page 9, titled “Unreported Job
Functions and Estimated Employees Requiring Specialized Training.”

This table presents the number of estimated employees, grouped by job function and
Operating Administration, that should have taken specialized training, but did not.
Operating Administration abbreviations are as listed in Exhibit B.

 Job Function                              FRA   FTA MARAD NHTSA   OIG   OST  RITA SLSDC   STB  Total
 Chief Information Officer                   1     1     1     1     1     1     1     1     1      9
 Information System Security Officer or
 Information System Security Manager               1                       1           1     1      4
 System Administrator                        1     1     1     1           1     1     1     1      8
 System Designer and Developers              1     1     1     1     1     1     1     1     1      9
 Network Administrator                       1     1     1     1           1     1     1     1      8
 Database Administrator                      1     1     1     1     1     1     1     1     1      9
 System Certifier                            1     1     1     1           1     1     1     1      8
 Designated Authorizing Authority            1     1     1     1           1     1     1     1      8
 Total Unreported                            7     8     7     7     3     8     7     8     8     63


Table 4, depicted in the Fiscal Year 2009 Audit of Department of Transportation’s
Information Security Program and Practices Report, on page 10, titled “Summary of
Overdue Plan of Action and Milestones.”

This table presents the number of open Plans of Action and Milestones (POA&Ms) for each
Operating Administration and a breakdown of how long overdue they are, how many did not
have target completion dates, and how many had future scheduled completion dates.
Operating Administration abbreviations are as listed in Exhibit B; the percentages in the
last row are shares of the 5442 total open POA&Ms.

 Operating         Total   1-60  61-90  91-120  121 days More than    Total No Target  Future
 Administration   POA&Ms   days   days    days to 1 year    1 year  Overdue      Date    Date
 DOT Programs         69      0      0       0         1        64       65         1       3
 FAA                4397    148     34      14        56         9      261         7    4129
 FHWA                514     52      0       1        73        89      215         0     299
 FMCSA                 3      0      0       0         0         2        2         0       1
 FRA                  20     20      0       0         0         0       20         0       0
 FTA                  50      5      7       0        23         0       35         0      15
 MARAD                 0      0      0       0         0         0        0         0       0
 NHTSA                 7      0      0       0         0         6        6         0       1
 OIG                  18      2      2       2         8         0       14         2       2
 OST                 149     10      0     127         0         0      137         1      11
 PHMSA               128      0      0       0         0       128      128         0       0
 RITA                 19      0      0       0         0         1        1        18       0
 SLSDC                 1      0      0       0         0         0        0         1       0
 STB                  67      0      0       0         0        52       52        15       0
 Total              5442    237     43     144       161       351      936        45    4461
 Percent                      4      1       3         3         6       17         1      82


Table 5, depicted in the Fiscal Year 2009 Audit of Department of Transportation’s
Information Security Program and Practices Report, on page 11, titled “OIG Plan of
Action and Milestone Data Analysis Comparison Results.”

This table presents the discrepancies found between the Plan of Action and Milestone
database and the Security and Privacy Posture Summary Status Report, which is used by
the Office of the Chief Information Officer (OCIO) to monitor Operating Administrations’
progress in correcting identified security weaknesses.

                                               OCIO Report   POA&M Database   Difference
 Total Number of Open POA&Ms                          4674             5442          768
 POA&Ms not Categorized                                247              395          148
 Unidentified Cost                                       0             2393         2393
 Overdue POA&Ms                                        276              936          660


Table 6, depicted in the Fiscal Year 2009 Audit of Department of Transportation’s
Information Security Program and Practices Report, on page 14, titled “Sample Systems
Results Summary by Operating Administration.”

This table summarizes our review of the sampled certification and accreditation packages
provided by Operating Administrations. The table provides the number of systems sampled
in each Operating Administration, the number of systems with non-compliant
certification and accreditations, the number of systems without annual testing, and the
number of systems without tested contingency plans. Operating Administration
abbreviations are as listed in Exhibit B.

                                                 FAA  FHWA FMCSA   FRA   FTA MARAD NHTSA   OST PHMSA  RITA  Total
 Number of Sampled Systems                        28     1     3     1     2     1     1     6     1     1     45
 Systems without fully compliant
 certification and accreditations                 22     0     0     0     0     1     0     2     0     0     25
 Systems without annual testing                    5     0     2     0     0     1     1     0     0     0      9
 Systems without tested contingency plans         16     1     0     1     0     1     0     2     1     0     22


Table 7, depicted in the Fiscal Year 2009 Audit of Department of Transportation’s
Information Security Program and Practices Report, on page 15, titled “DOT
Implementation of Office of Management and Budget Privacy Initiatives.”

This table summarizes the Department of Transportation’s status in implementing the
Office of Management and Budget privacy initiatives in the areas of social security
number reduction, two-factor authentication, and encryption of personally identifiable
information on mobile devices.

OMB Initiative: Complete Social Security Number and Personally Identifiable Information
Reduction.
Status: The Department of Transportation identified 25 systems that can reduce use of
social security numbers. Only 5 systems have completed a plan to do so. In addition, FAA
does not plan to eliminate unnecessary use of social security numbers until 2015.

OMB Initiative: Allow remote access only with two-factor authentication where one of the
factors is provided by a device separate from the computer gaining access.
Status: Two-factor authentication delayed until the Department of Transportation
implements Homeland Security Presidential Directive 12.

OMB Initiative: Ensure that all personally identifiable information stored or carried on
mobile computers and devices is encrypted using National Institute of Standards and
Technology approved encryption.
Status: As of July 2, 2009, 592 out of 11723 mobile devices from the Department have not
had National Institute of Standards and Technology approved encryption applied. However,
no data were available for Federal Aviation Administration and Federal Highway
Administration.


Table 8, depicted in the Fiscal Year 2009 Audit of Department of Transportation’s
Information Security Program and Practices Report on pages 20, 21, 22 and 23, titled
“Office of Inspector General’s Representative Subset of Department of Transportation
Systems.”

This table lists the 45 systems selected as part of the Office of Inspector General’s
representative sample of the Department of Transportation’s systems along with their
corresponding Operating Administration, Impact Level, and whether each is a contractor
system.

Operating Administration, Federal Aviation Administration, System Name, Accident/Incident and Enforcement Query Tool, Impact Level, Moderate, Contractor System, No.

Operating Administration, Federal Aviation Administration, System Name, Security and Hazardous Materials Office Headquarter Local Area Network, Impact Level, Moderate, Contractor System, No.

Operating Administration, Federal Aviation Administration, System Name, Security and Hazardous Materials Office Local Area Networks, Impact Level, Moderate, Contractor System, No.

Operating Administration, Federal Aviation Administration, System Name, Air Traffic Organization Consolidated Local Area Network, Impact Level, Low, Contractor System, No.

Operating Administration, Federal Aviation Administration, System Name, Air Traffic Organization Network, Impact Level, Moderate, Contractor System, No.

Operating Administration, Federal Aviation Administration, System Name, Aviation Safety Information Analysis and Sharing System, Impact Level, Moderate, Contractor System, No.

Operating Administration, Federal Aviation Administration, System Name, Capability and Architecture Tool Suite, Impact Level, Low, Contractor System, No.

Operating Administration, Federal Aviation Administration, System Name, Collaborative Routing Coordination Tool, Impact Level, Low, Contractor System, No.

Operating Administration, Federal Aviation Administration, System Name, Delphi Tracking System, Impact Level, Moderate, Contractor System, No.

Operating Administration, Federal Aviation Administration, System Name, Eastern Region Office of Government Ethics 450, Impact Level, Moderate, Contractor System, No.

Operating Administration, Federal Aviation Administration, System Name, Enterprise Architecture Portal Metadata Repository, Impact Level, Low, Contractor System, No.

Operating Administration, Federal Aviation Administration, System Name, Excellence through Quality Reliance, Impact Level, Moderate, Contractor System, No.

Operating Administration, Federal Aviation Administration, System Name, Flight Service for the Twenty First Century, Impact Level, Moderate, Contractor System, No.

Operating Administration, Federal Aviation Administration, System Name, Flight Systems Laboratory Software Tool Set, Impact Level, Low, Contractor System, No.

Operating Administration, Federal Aviation Administration, System Name, Information Technology Asset Management System, Impact Level, Low, Contractor System, No.

Operating Administration, Federal Aviation Administration, System Name, Integrated Rulemaking Management Information System, Impact Level, High, Contractor System, No.

Operating Administration, Federal Aviation Administration, System Name, Monitor Safety Related Data / Aviation Safety Accident Prevention Program, Impact Level, Moderate, Contractor System, No.

Operating Administration, Federal Aviation Administration, System Name, National Airspace Data Interchange Network Message Switch Rehost, Impact Level, Moderate, Contractor System, No.

Operating Administration, Federal Aviation Administration, System Name, National Airspace System Technical Evaluation Program, Impact Level, Low, Contractor System, No.

Operating Administration, Federal Aviation Administration, System Name, Office of Airports Local Area Networks, Impact Level, Moderate, Contractor System, No.

Operating Administration, Federal Aviation Administration, System Name, Operations Specifications Sub-System, Impact Level, High, Contractor System, No.

Operating Administration, Federal Aviation Administration, System Name, Payback, Impact Level, Moderate, Contractor System, No.

Operating Administration, Federal Aviation Administration, System Name, Risk Based Resource Targeting, Impact Level, Moderate, Contractor System, No.

Operating Administration, Federal Aviation Administration, System Name, Safety Program Notification System, Impact Level, Moderate, Contractor System, No.

Operating Administration, Federal Aviation Administration, System Name, Selections Within Faster Times, Impact Level, Moderate, Contractor System, No.

Operating Administration, Federal Aviation Administration, System Name, Staffing and Cost Analysis Tool, Impact 
Level, Moderate, Contractor System, No.\n\nOperating Administration, Federal Aviation Administration, System Name, Voice\nSwitching and Control System, Impact Level, Moderate, Contractor System, No.\n\nOperating Administration, Federal Aviation Administration, System Name,\nWhistleblower Protection Program, Impact Level, High, Contractor System, No.\n\nOperating Administration, Federal Highway Administration, System Name, Delphi\nInterface Maintenance System, Impact Level, High, Contractor System, No.\n\nOperating Administration, Federal Motor Carrier Safety Administration, System Name,\nCommercial Vehicle Information Systems and Networks Web Site, Impact Level, Low,\nContractor System, No.\n\x0c                                                                                         41\n\n\n\nOperating Administration, Federal Motor Carrier Safety Administration, System Name,\nCompass, Impact Level, Moderate, Contractor System, No.\n\nOperating Administration, Federal Motor Carrier Safety Administration, System Name,\nGotham, Impact Level, Moderate, Contractor System, No.\n\nOperating Administration, Federal Railroad Administration, System Name, Railroad\nCredit Risk Assessment, Impact Level, Low, Contractor System, No.\n\nOperating Administration, Federal Transit Administration, System Name, Federal Transit\nAdministration Internet Intranet, Impact Level, Moderate, Contractor System, Yes.\n\nOperating Administration, Federal Transit Administration, System Name, National\nTransit Database, Impact Level, Moderate, Contractor System, Yes.\n\nOperating Administration, Maritime Administration, System Name, Enclave 1, Impact\nLevel, Low, Contractor System, No.\n\nOperating Administration, National Highway Transportation Safety Administration,\nSystem Name, Support Delivery Services, Impact Level, Moderate, Contractor System,\nNo.\n\nOperating Administration, Office of the Secretary, System Name, Case Tracking System,\nImpact Level, Moderate, Contractor System, 
No.\n\nOperating Administration, Office of the Secretary, System Name, Correspondence\nControl Management System, Impact Level, Moderate, Contractor System, No.\n\nOperating Administration, Office of the Secretary, System Name, Grant Information\nSystem, Impact Level, Low, Contractor System, Yes.\n\nOperating Administration, Office of the Secretary, System Name, Security Operations\nSystems, Impact Level, High, Contractor System, Yes.\n\nOperating Administration, Office of the Secretary, System Name, Transportation\nIntegrated Print Transaction System, Impact Level, Low, Contractor System, Yes.\n\nOperating Administration, Office of the Secretary, System Name, Workman\nCompensation Information System, Impact Level, Moderate, Contractor System, No.\n\nOperating Administration, Pipeline and Hazardous Materials Safety Administration,\nSystem Name, National Pipeline Management System, Impact Level, Low, Contractor\nSystem, Yes.\n\x0c                                                                                           42\n\n\n\n\nOperating Administration, Research and Innovative Technology Administration, System\nName, Volpe Center PRISM System, Impact Level, Moderate, Contractor System, Yes.\n\nExhibit B, depicted in the Fiscal Year 2009 Audit of Department of Transportation\xe2\x80\x99s\nInformation Security Program and Practices Report, page 24, titled \xe2\x80\x9cDepartment of\nTransportation Operating Administrations and System Inventory Counts.\xe2\x80\x9d This table\nprovides the number of systems reported by each Operating Administration in Fiscal\nYears 2008 and 2009.\n\nFederal Aviation Administration reported 274 systems in Fiscal Year 2009 and 264\nsystems in Fiscal Year 2008.\n\nFederal Highway Administration reported 21 systems in Fiscal Year 2009 and 26 systems\nin Fiscal Year 2008.\n\nFederal Motor Carrier Safety Administration reported 21 systems in Fiscal Year 2009 and\n23 systems in Fiscal Year 2008.\n\nFederal Railroad Administration reported 12 
systems in Fiscal Year 2009 and 21 systems\nin Fiscal Year 2008.\n\nFederal Transit Administration reported 5 systems in Fiscal Year 2009 and 5 systems in\nFiscal Year 2008.\n\nMaritime Administration reported 10 systems in Fiscal Year 2009 and 13 systems in\nFiscal Year 2008.\n\nNational Highway Traffic Safety Administration reported 10 systems in Fiscal Year 2009\nand 11 systems in Fiscal Year 2008.\n\nOffice of Inspector General reported 2 systems in Fiscal Year 2009 and 2 systems in\nFiscal Year 2008.\n\nOffice of the Secretary reported 36 systems in Fiscal Year 2009 and 44 systems in Fiscal\nYear 2008.\n\nPipeline and Hazardous Materials Safety Administration reported 5 systems in Fiscal\nYear 2009 and 4 systems in Fiscal Year 2008.\n\n\nResearch and Innovative Technology Administration reported 10 systems in Fiscal Year\n2009 and 9 systems in Fiscal Year 2008.\n\x0c                                                                                            43\n\n\n\n\nSaint Lawrence Seaway Development Corporation reported 1 system in Fiscal Year 2009\nand 1 system in Fiscal Year 2008.\n\nSurface Transportation Board reported 2 systems in Fiscal Year 2009 and 2 systems in\nFiscal Year 2008.\n\nIn total, the Department of Transportation reported 409 systems in Fiscal Year 2009 and\n425 systems in Fiscal Year 2008.\n\n\nExhibit C, depicted in the Fiscal Year 2009 Audit of Department of Transportation\xe2\x80\x99s\nInformation Security Program and Practices Report on pages 25, 26, and 27, titled \xe2\x80\x9cStatus\nof Prior Year\xe2\x80\x99s Recommendations.\xe2\x80\x9d This table provides a listing of the recommendations\nmade in the Fiscal Year 2008 Federal Information Security Management Act audit and\ntheir current status.\n\nFiscal Year 2008, Recommendation 1, Provide information security performance metrics\nto be included in Operating Administration Chief Information Officers performance\nstandards and subsequently provide input on their performance in 
addressing these\nmetrics, Status, Closed.\n\nFiscal Year 2008, Recommendation 2, Develop and issue comprehensive, compliant\ninformation security policies and procedures as required by the Federal Information\nSecurity Management Act, the Office of Management and Budget, and the National\nInstitute of Standards and Technology, Status, Closed.\n\nFiscal Year 2008, Recommendation 3, Complete review of its draft breach-notification\npolicy, perform revisions as necessary to conform to the Office of Management and\nBudget requirements, and issue an official breach-notification policy, Status, Closed.\n\nFiscal Year 2008, Recommendation 4, Review and finalize its plan to reduce Social\nSecurity numbers, and implement the reduction of Social Security numbers in the time\nframe set forth by Office of Management and Budget, Status, Open.\n\nFiscal Year 2008, Recommendation 5, Issue a policy outlining the rules of behavior and\nidentifying consequences and corrective actions available for failure to protect privacy,\nStatus, Closed.\n\nFiscal Year   2008, Recommendation 6, Establish a department-wide internal Federal\nInformation   Security Management Act cut-off date that allows sufficient time for the\nDepartment    to conduct meaningful internal review, which includes evaluating the\naccuracy of   the data it includes in its Federal Information Security Management Act\n\x0c                                                                                             44\n\n\n\nreport as well as time to resolve any potential disputes with the Office of the Inspector\nGeneral, Status, Closed.\n\nFiscal Year 2008, Recommendation 7, Maintain an adequate audit trail of data supporting\nthe Federal Information Security Management Act reports as of the selected cut-off date,\nStatus, Closed.\n\nFiscal Year 2008, Recommendation 8, Assign a priority to finalizing the Department of\nTransportation configuration management policy, Status, Closed.\n\nFiscal Year 2008, Recommendation 
9, Require Operating Administrations to periodically\nreport status of baseline configuration compliance and independently validate compliance\nstatus reported by Operating Administrations, Status, Closed.\n\nFiscal Year 2008, Recommendation 10, Implement National Institute of Standards and\nTechnology Federal Desktop Core Configuration settings on the Window X.P.\nworkstations on the Department of Transportation Common Operating Environment,\nrequire Operating Administrations to implement Federal Desktop Core Configuration\nsettings on Operating Administrations Windows X.P. workstations, and document any\nrequired deviations from those settings, Status, Closed.\n\nFiscal Year 2008, Recommendation 11, Establish a timetable for Operating\nAdministrations to work with the Cyber Security Management Center to deploy\nmonitoring devices covering all Department of Transportation critical networks, Status,\nClosed.\n\nFiscal Year 2008, Recommendation 12, Enforce Operating Administrations\xe2\x80\x99 reporting of\nPersonally Identifiable Information related security incidents to the Cyber Security\nManagement Center immediately upon discovery, as specified by Department of\nTransportation policy, Status, Closed.\n\nFiscal Year 2008, Recommendation 13, Revise Department of Transportation policies to\nmeet the Office of Management and Budget requirement for reporting Personally\nIdentifiable Information incidents, Status, Closed.\n\nFiscal Year 2008, Recommendation 14, Implement procedures for Operating\nAdministrations to take timely remedial action for identified incidents, Status, Closed.\n\nFiscal Year 2008, Recommendation 15, Direct the Cyber Security Management Center\nand Operating Administrations to work together to collect and share the information\nneeded for cyber incident-response reporting, such as I.P.-address assignment and critical\nlogging data, Status, Closed.\n\x0c                                                                                              
 45\n\n\n\nFiscal Year 2008, Recommendation 16, Enforce the requirements for all employees and\ncontractors to take security-awareness training in order to gain and maintain access to\nDepartment systems, Status, Closed, however new recommendations were made in this\nyear\xe2\x80\x99s audit to continue addressing these deficiencies.\n\nFiscal Year 2008, Recommendation 17, Establish a tracking system or other process that\neffectively and routinely accounts for all active contractors requiring security training,\nStatus, Closed, however new recommendations were made in this year\xe2\x80\x99s audit to continue\naddressing these deficiencies.\n\nFiscal Year 2008, Recommendation 18, Establish a mechanism to identify and train\nemployees and contractors requiring specialized security training, Status, Closed,\nhowever new recommendations were made in this year\xe2\x80\x99s audit to continue addressing\nthese deficiencies.\n\nFiscal Year 2008, Recommendation 19, Include collaborative Web technologies in the\nDepartment\xe2\x80\x99s required security-awareness training, Status, Open.\n\nFiscal Year 2008, Recommendation 20, Ensure that all weaknesses that are identified\nduring reviews, including certification and accreditation, and that require remediation, are\ntracked in the Department\xe2\x80\x99s POA&M system, Status, Closed, however new\nrecommendations were made in this year\xe2\x80\x99s audit to continue addressing these\ndeficiencies.\n\nFiscal Year 2008, Recommendation 21, Establish adequate policies for timeliness of\nremediation and enforce such policies, Status, Closed.\n\nFiscal Year 2008, Recommendation 22, Require that all identified weaknesses include a\ncost estimate and that these estimates, along with the severity of the weakness, be used to\nprioritize these weaknesses for correction, Status, Closed.\n\nFiscal Year 2008, Recommendation 23, Implement a process to ensure that all\ndepartmental systems that require e-authentication are identified in the 
e-authentication\nsystem inventory and that the necessary e-authentication supporting documentation is\nobtained or developed for these systems, Status, Closed.\n\nFiscal Year 2008, Recommendation 24, Ensure that all systems that require e-\nauthentication have certification and accreditation packages that include support for e-\nauthentication in the appropriate sections of their system security plans and risk\nassessments, Status, Closed.\n\nFiscal Year 2008, Recommendation 25, Validate that e-authentication systems have\noperationally achieved the required assurance level, Status, Open.\n\x0c                                                                                           46\n\n\n\n\nFiscal Year 2008, Recommendation 26, Require development and appropriate annual\ntesting of system contingency plans and ensure that tested contingency plans are updated\nbased on the results of the contingency plan tests performed, Status, Closed, however\nnew recommendations were made in this year\xe2\x80\x99s audit to continue addressing these\ndeficiencies.\n\nFiscal Year 2008, Recommendation 27, Enforce certification and accreditation\nrequirements uniformly throughout the Department, Status, Closed.\n\x0c'